Solved: FDM and NPS, test works but can't login

richard.priest · ‎05-18-2020

Hi,

just trying to setup external RADIUS authentication to our Firepower 2110 boxes, we don't have FMC so it's the on box FDM for config.

I've created a security group in AD and the specific policies in the NPS, with the attribute fdm.userrole.authority.admin added to the cisco-av-pair attribute.

When I test authentication I get a success notification

However when attempting to login I am uncusessful

Can anyone advise where I may have gone wrong in setting this up?

EDIT:

Checking the NPS logs I can see it's approved the access request

Many thanks

Rich

Marvin Rhoads · ‎05-18-2020

You're welcome. The RADIUS test is just basically checking shared secret and if the device is valid on the RADIUS server.

I agree it would be useful if it actually processed the full authorization request and checked the result.

Seeing the actual packets often helps us cut through what we think is happening vs. what's actually going on. Back when I was learning ISE seeing the actual attributes and their values was my "ah ha" moment for grokking the computer science term "A-V pair".

View solution in original post

Marvin Rhoads · ‎05-18-2020

Did you setup NPS to return the Cisco A-V pair "fdm.userrole.authority.admin"? (or .ro or .rw for read-only and read-write users) That's required to make it work. A simple "Access-Accept" won't do it.

I just tested and setup using ISE in my lab and that last bit was the key.

Reference the online help in your FDM:

https://<your FDM address>/#/help/t_configuring_external_authorization_aaa_for_firepower_device_manager_users.html

FDM User with External Authentication FDM User with External Authentication

FDM Authorization Result in ISE FDM Authorization Result in ISE

richard.priest · ‎05-18-2020

Yeah I did, I don't have ISE unfortunately so am just using windows NPS

FWIW this is the attribute setting in the NPS policy

Marvin Rhoads · ‎05-18-2020

Hmmm, if NPS is returning that value in the Cisco AV pair it should work.

I'd check with a packet capture on the NPS server filtering to the FTD address. RADIUS is plain text so you should be able to confirm the value is being sent back to FDM in the RADIUS reply message.

richard.priest · ‎05-18-2020

that's a great idea!

I've actually figured it out / fixed it, but I'm going to wireshark anyway for curiosity/professional interests sake.

When I created the NPS policy I added the RADIUS attribute to the network policy rather than the connection policy.

I do find it vexing that when testing FDM reported a success even though it wouldn't work mind.

For any future google searchers, set it in here:

Really appreciate the help!

Cheers

Rich

Marvin Rhoads · ‎05-18-2020

You're welcome. The RADIUS test is just basically checking shared secret and if the device is valid on the RADIUS server.

I agree it would be useful if it actually processed the full authorization request and checked the result.

Seeing the actual packets often helps us cut through what we think is happening vs. what's actually going on. Back when I was learning ISE seeing the actual attributes and their values was my "ah ha" moment for grokking the computer science term "A-V pair".

EminaBrkanic · ‎03-12-2025

This help me thanks-

Did you manage to authenticate users for ssh connection in same way?

EminaBrkanic · ‎03-13-2025

I did it. Same logic applies only, for ssh service-type need to be set to administrative.

and don't use "." in username.

cheers

FDM and NPS, test works but can't login

Como Configurar BGP no Cisco Firepower FDM

Instalação e Configuração do Cisco Firepower Virtual (FDM)

FDMでのHA設定手順

Configure o NPS para redes Wireless

Application PBR in FDM